freifunk: get backbone tunnel to work

This commit is contained in:
Astro 2022-03-23 22:46:22 +01:00
parent 9d4afa5870
commit 66a3255d3d
1 changed files with 31 additions and 17 deletions


@ -7,6 +7,7 @@ let
meshInterface = "bmx";
meshLoopback = "bmx_prime";
ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php";
ddmeshBroadcast = "10.255.255.255";
inherit (pkgs.c3d2-freifunk) ddmeshRegisterKey;
ddmeshNode = 51073;
ddmeshAddrPart = "200.74";
@ -19,7 +20,7 @@ let
upstreamMark = 3;
rt_table_upstream = 100;
vpn6AddrPart = "200.2";
node51001AddrPart = "200.2";
in {
imports = [
"${modulesPath}/profiles/minimal.nix"
@ -60,6 +61,8 @@ in {
${pkgs.iptables}/bin/iptables -t nat -F POSTROUTING
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
\! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart}
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
\! --source 10.200.0.0/15 -o ipip-node51001 -j SNAT --to 10.200.${ddmeshAddrPart}
${pkgs.iptables}/bin/iptables -t nat -o bat0 -A POSTROUTING -j MASQUERADE
set -e
'';
@ -75,7 +78,7 @@ in {
'';
};
environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools ];
environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools iperf ];
sops.secrets."wireguard/vpn6/privateKey" = {
group = "systemd-network";
@ -83,10 +86,13 @@ in {
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# unbreak wg-vpn6 ingress path
boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;
systemd.network = {
netdevs = {
# Dummy interface for primary (10.200) address
bmx-prime = {
"10-bmx-prime" = {
enable = true;
netdevConfig = {
Kind = "bridge";
@ -94,11 +100,12 @@ in {
};
};
# Freifunk Dresden Backbone
wg-vpn6 = {
"31-wg-vpn6" = {
enable = true;
netdevConfig = {
Name = "wg-vpn6";
Kind = "wireguard";
MTUBytes = "1320";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
@ -111,19 +118,19 @@ in {
# vpn6.freifunk-dresden.de
Endpoint = "85.195.253.169:5006";
PublicKey = "CIJa7xiRRIrLtEB7uyzwoyaQcpe0b8F2d16+3hk8KjU=";
AllowedIPs = "10.203.${vpn6AddrPart}/32";
AllowedIPs = "10.203.0.0/16";
};
} ];
};
ipip-vpn6 = {
"32-ipip-node51001" = {
enable = true;
netdevConfig = {
Name = "ipip-vpn6";
Name = "ipip-node51001";
Kind = "ipip";
};
tunnelConfig = {
Local = "10.203.${ddmeshAddrPart}";
Remote = "10.203.${vpn6AddrPart}";
Remote = "10.203.${node51001AddrPart}";
};
};
};
@ -133,7 +140,10 @@ in {
enable = true;
matchConfig = { Name = meshInterface; };
addresses = [{
addressConfig.Address = "10.201.${ddmeshAddrPart}/16";
addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = ddmeshBroadcast;
};
}];
};
# Dummy interface for primary (10.200) address
@ -148,17 +158,19 @@ in {
enable = true;
matchConfig.Name = "wg-vpn6";
addresses = [{
addressConfig.Address = "10.203.${ddmeshAddrPart}/32";
addressConfig.Address = "10.203.${ddmeshAddrPart}/16";
}];
routes = [ {
routeConfig.Destination = "10.203.${vpn6AddrPart}/32";
} ];
# reverse dependency
networkConfig.Tunnel = [ "ipip-node51001" ];
};
"32-ipip-vpn6" = {
"32-ipip-node51001" = {
enable = true;
matchConfig.Name = "ipip-vpn6";
matchConfig.Name = "ipip-node51001";
addresses = [{
addressConfig.Address = "10.201.${ddmeshAddrPart}/16";
addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = ddmeshBroadcast;
};
}];
};
# ZW
@ -180,6 +192,8 @@ in {
FirewallMark = upstreamMark;
};
} ];
# reverse dependency
networkConfig.Tunnel = [ "wg-vpn6" ];
};
};
};
@ -200,7 +214,7 @@ in {
-r 3 --gateway_hysteresis 20 \
dev=${meshLoopback} /linklayer 0 \
dev=${meshInterface} /linklayer 1 \
dev=ipip-vpn6 /linklayer 1
dev=ipip-node51001 /linklayer 1
'';
Restart = "always";
};
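Review bot: The new `boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;` in the fourth hunk disables reverse-path filtering on that interface entirely, although the comment only describes an asymmetric ingress path for wg-vpn6; loose mode keeps packets from unroutable source addresses dropped while still allowing the asymmetric return path, so `boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 2;` is the narrower setting to try first. The kernel applies the stricter of `conf.all.rp_filter` and the per-interface value, so if `all` is set to 1 elsewhere in the configuration this per-interface override may not take effect at all — worth confirming on the host. The comment should also name the asymmetry it works around, e.g. `# wg-vpn6 traffic enters here but its replies leave via the tunnel; loose rp_filter (2) keeps source checks without rejecting that path`. Presumably `core` is the uplink interface; the hunk does not show where it is defined.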